[olug] ssh vulnerability announced today.
Daniel G. Linder
dlinder at iprevolution.net
Tue Sep 16 19:12:55 UTC 2003
Brian Roberson [mailto:roberson at olug.org] wrote:
> http://www.openssh.org/
> http://www.openssh.com/txt/buffer.adv
You can download the latest version from the OpenSSH site:
http://www.openssh.com/portable.html. In my case, the RH 9.0 RPMs are
available here.
In my case, I was able to download all the new 3.7 binaries, do an "sudo
rpm -Uvh" to upgrade/install them, and then do a "sudo /etc/init.d/sshd
restart" to stop the old 3.5 sshd binary and restart. Now when I telnet
to port 22, I am greeted with the following:
$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.7p1
^]
telnet> quit
Connection closed.
Note the line "SSH-1.99-OpenSSH_3.7p1". From what I understand, the
3.7p1 was released today and is not vulnerable to this bug.
I am making these available on my FTP server: ftp.linder.org in
/pub/ssh3.7p1
Dan
P.S. For anyone running Debian stable, I believe the commands are (as
root):
apt-get update
apt-get upgrade
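
The banner check from the message above, scripted so it can be repeated across your own hosts. This is an added example, not part of the original post: the minimum version (3, 7, 0) is taken from the poster's statement about 3.7p1, and the function names and the sample banners other than the 3.7p1 line are constructed for illustration.

```python
import re
import socket

# Identification string layout: SSH-<protoversion>-<softwareversion>[ comments]
OPENSSH_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?(?:[ -].*)?$")

def parse_banner(line):
    """Return the OpenSSH version as (major, minor, patch), or None if not OpenSSH."""
    m = OPENSSH_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def needs_upgrade(line, minimum=(3, 7, 0)):
    """True if older than `minimum`, False if not, None if the banner is not OpenSSH.

    The banner is only the upstream version string: distribution packages that
    backport a fix keep the old string, so True means "check the package", not proof.
    """
    version = parse_banner(line)
    return None if version is None else version < minimum

def offers_ssh1(line):
    """Protocol field 1.5 or 1.99 means the server still accepts SSH-1 clients."""
    parts = line.strip().split("-", 2)
    return len(parts) == 3 and parts[0] == "SSH" and parts[1] in ("1.5", "1.99")

def read_banner(host, port=22, timeout=5.0):
    """Fetch the identification line, as the telnet session in the post does."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(20):  # servers may send other lines before "SSH-"
            raw = stream.readline(256)
            if not raw:
                break
            text = raw.decode("ascii", "replace").strip()
            if text.startswith("SSH-"):
                return text
    return None

if __name__ == "__main__":
    samples = [
        "SSH-1.99-OpenSSH_3.7p1",   # banner shown in the post
        "SSH-1.99-OpenSSH_3.5p1",   # constructed: the post's old 3.5 sshd
        "SSH-2.0-dropbear_0.38",    # constructed: not OpenSSH
    ]
    for banner in samples:
        print(banner, needs_upgrade(banner), offers_ssh1(banner))
```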